Many computer servers, such as those hosting or serving websites, require user authentication before a user's client device is given access to information on the server. A typical user login procedure requires a user to provide a user name and a password.
For additional security, some systems require two-factor (also known as second-factor) authentication. For example, the system requires a code from a user, such as one that is generated by a separate one-time password hardware device, that is received via text message on a user's phone, or that is generated by an authentication app on a mobile device.
Some servers, such as financial institution servers, require a user to pick an image from a number of images available on the server. These images are sometimes called site keys. That way, the user can be assured of connecting to a legitimate server or website instead of entering credentials on an imposter web page. This reduces the risk of loss due to theft by criminals who steal users' login credentials through imposter web pages and then log in to the legitimate server using the stolen credentials. For example, users are sometimes directed to imposter pages through phishing scams. The user may receive a fake email that appears to come from the user's financial institution or some other legitimate source, that contains a link to an imposter web page, and that instructs the user to act.
However, such security images do not always provide the intended security benefits. A hacker can use a man-in-the-middle attack that removes SSL (Secure Sockets Layer) from the connection. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. SSL is what ensures that data passed between the web server and the browser remains private. The only visible indication of the attack is the lack of an “s” in the browser's address bar. In other words, “http” appears instead of “https.” HTTPS stands for Hyper Text Transfer Protocol Secure, as opposed to regular Hyper Text Transfer Protocol. This is a minor difference that may easily go unnoticed.
Alternatively, the imposter web page may not show any security image at all, and simply try to persuade the user that there is some legitimate reason why there is no security image, for example that the image displaying system is down for maintenance. Thus, such website security images selected from a plurality of website-provided images can be ineffective.